Note: if this isn't working make sure that /etc/ssh/ssh_config isn't
overriding these settings

Limiting a user to ssh portforwarding only

This is useful if you want to let someone pivot through you or portfward but
not to have them get a shell on your receiver box. This setup was done on an
ubuntu server running openssh, should work anywhere openssh is found...

setup user on server

sudo useradd no-access-user
sudo mkdir -p /home/no-access-user/.ssh

For that user create .ssh/authorized_keys with the users public key and some
restrictive flags.